Why giving up your phone number can mean giving up your privacy

By Nancy Lloyd

Nov 26, 2016 | 3:00 AM

After changing his phone number, Rep. Ted Lieu, shown in this 2014 file photo, discovered a surprising downside to two-factor authentication. Whoever wound up with his old phone number likely received log-in prompts linked to his account. (Bob Chamberlin / Los Angeles Times)

Forget divorce or the dissolution of a business partnership. In 2017, your most unpredictable, time-consuming and financially perilous breakup may be with your old phone number.

Surrendering your digits can be more problematic than losing your phone. On most smartphones, a quick security wipe can remove all personal data — and it can even be done remotely if your phone is lost or stolen. But give up your phone number and the burden is on you to find every business, person and entity that links that number to your life — your finances, medical records, email or social media accounts, business contacts, and much more — and remove it at each place.

If you miss any, your life can become an open book for whoever gets assigned your old number. This stranger could receive texts, photos and voicemails meant for you, and even the temporary passcodes you need to log in to your secure accounts.

I recently got a new phone number, which was in fact a recycled one. Soon I received texts and voicemails intended for the woman who gave up my number, including blood test results, spa confirmations outlining where she would be and when, and an invitation for a job interview.

Deleting these messages would not stop them from coming, nor inform businesses they were sending private information to the wrong person. Phoning the callers and texters to say she no longer had this number elicited reactions ranging from apologetic to suspicious. Still, I hoped that when they saw her again — to maintain the integrity of their medical and business records — they would at least ask her, "What is your current number?"

Making a clean break from your old number starts with legwork.

"People should track down all the places their number might be, including doctors' offices, pharmacies and schools, and contact them if you need to change your number," said security expert and the Federal Trade Commission's chief technologist, Lorrie Cranor. "It can be especially hard to update your number at the doctor's office or other places where information is [not online but] still in file folders."

Phone numbers have become the keys to unlocking an array of personal information. If you have called your credit-card company and been greeted by an automated message stating it recognized your phone number and then spewed your account balance and available credit without requiring you to speak with a person, you have experienced firsthand your 10 digits being used as an identifier, like a Social Security number.

The big difference? Your Social Security number cannot be reassigned to anyone else, but your relinquished phone number quickly can be reassigned to a stranger. "Carriers must put residential numbers back into use within 90 days," said Mark Wigfield, a Federal Communications Commission spokesman. "That's to preserve numbers [and] avoid opening up new area codes, which is often a source of consumer confusion and complaints."

Following a high-profile hack this summer, Congressman Ted Lieu (D-Torrance) was advised to change his phone number. "It's laborious because so many things are tied to it," said Lieu, who holds a computer science degree from Stanford University. To boost the security on his financial, social media and email accounts, years ago he opted not to settle for a standard logon but to add a second layer of security, called two-factor authentication. With it, he must enter his username and password, as well as a temporary string of numbers that is sent to his phone. But that security measure wound up being the "most troubling part" of changing numbers, he said. "If you don't [notify all] your financial institutions, two-factor authentications could go to a complete stranger and you could get locked out of your accounts."

Or, worse, two-factor authentications could be combined with personal information contained in texts and voicemails sent to your old number to hack your accounts. "If fraud or identity theft is the result of a phone number reassignment, the victim is very unlikely to know it," said Morgan Cordary, outreach coordinator for the consumer advocacy organization Privacy Rights Clearinghouse. "Most people do not know how it happened … only that they need help."

In March, using a fake ID at a mobile phone store, a thief posed as Lorrie Cranor and conned sales staff into remotely deactivating the SIM cards in both Cranor's phone and her husband's, and reactivating their numbers in two new iPhones fraudulently charged to Cranor's account. To decrease the odds of someone hijacking her wireless account again, Cranor, a security expert, added a personal identification number to her account that differs from her Social Security number. But she rejected new phone numbers and fought to get her stolen ones back. "I had my number a long time and didn't want to go through [the hassle] of trying to remove it at so many places," she said.

There can be no way to know where, exactly, your number is on file.

Before cutting the cord on my landline, I ported the number to a cellphone. Only then did I discover that, although landlines cannot receive texts and I never signed up for any, a bank and a pharmacy were sending them anyway. Had I given up the landline without first porting it, texts meant for me would have gone to the cellphone of the stranger who got reassigned my former number. And I never would have known.

Trying to find and update your phone number at every place that stores it is a scavenger hunt that most people will lose.

"The burden should be on businesses to verify annually that the number in their records still belongs to that customer," said Harold Feld, senior vice president of Public Knowledge, a digital rights advocacy organization. "But merely sending a text to a phone number isn't enough; a person who subsequently got reassigned that number could [fraudulently] pose as that customer, rendering that verification meaningless."

Even if you notify all your contacts, many people and places won't bother removing or replacing an old phone number. So, the person who gets your old number also will likely get texts and voicemails from your friends, relatives, bosses, clients, colleagues, your kids' school, airlines, hotels or elsewhere. With your old number displayed as this stranger's caller ID, he or she can pose as you while responding with impunity to them.

A privacy breach is a small price to pay for one large group of digit ditchers: people evading debt collectors.

After Gerri Detweiler got her then-11-year-old daughter a cellphone, debt collectors hounded the girl for two years looking for the woman who previously had that number.

"It was frustrating," recalled Detweiler. "Many calls were automated and didn't let me talk to a person … unless I pressed '1' and falsely admitted I was the woman they were looking for." She recently Googled her daughter's number and discovered that the woman who gave it up had a criminal past. "Before I accept any new number I will put it into multiple search engines to try to avoid problems," she said.